About regular expressions with field extractions

Inline and transform field extractions require regular expressions with the names of the fields that they extract.

In inline field extractions, the regular expression is in props.conf. You have one regular expression per field extraction configuration.

In transform extractions, the regular expression is separated from the field extraction configuration. The regular expression is in transforms.conf while the field extraction is in props.conf. This means that you can apply one regular expression to multiple field extraction configurations, or multiple regular expressions to one field extraction configuration.

Regular expressions

When you set up field extractions through configuration files, you must provide the regular expression. You can design a regular expression so that it extracts two or more fields from the events that match it. You can test your regular expression by using the rex search command.

The capturing groups in your regular expression must identify field names that contain alphanumeric characters or an underscore.
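The following added example (not part of the original documentation) shows the same regular expression configured first as an inline extraction and then as a transform extraction that two source types share. The sample event is constructed, the stanza name ssh_failed_login and the source type my_sshd_custom are hypothetical, and linux_secure is assumed to be the source type of the SSH authentication events.

```ini
# Constructed sample event the regular expression is written for:
#   Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
#
# Each named capturing group becomes a field: user, src_ip, src_port.
# The names use only letters and underscores and do not start with
# a digit or an underscore, so key cleaning leaves them unchanged.

# ---------------------------------------------------------------
# Option 1: inline extraction. The regular expression lives in
# props.conf, one expression per EXTRACT-<class> setting.
# ---------------------------------------------------------------
# props.conf
[linux_secure]
EXTRACT-ssh_failed = Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)

# ---------------------------------------------------------------
# Option 2: transform extraction. The regular expression lives in
# transforms.conf and props.conf refers to it by stanza name, so
# more than one field extraction configuration can reuse it.
# Use this instead of Option 1, not together with it.
# ---------------------------------------------------------------
# transforms.conf
[ssh_failed_login]
REGEX = Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)
# FORMAT is omitted because the named groups already supply the field names.

# props.conf
[linux_secure]
REPORT-ssh_failed = ssh_failed_login

# Hypothetical second source type that carries the same message text.
[my_sshd_custom]
REPORT-ssh_failed = ssh_failed_login
```

A group named (?<_user>...) or (?<1st_ip>...) would not keep that name, because key cleaning removes the leading underscore or digit at search time.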

Proper field name syntax

Field names cannot begin with 0-9 or _. Leading underscores are reserved for Splunk Enterprise internal variables.

Splunk software applies key cleaning to fields that are extracted at search time. When key cleaning is enabled, Splunk Enterprise removes all leading underscores and 0-9 characters from extracted fields. Key cleaning is enabled by default.
